Lessons Learned

The layers of controls were just described from the inside out. However, while reacting to Internet threats it is natural to emphasize the outer layer of network controls. With threats escalating and the market for technical solutions expanding, the result can be a hard, crunchy shell around a soft center. This may seem analogous to a fortress castle with the strongest protection at the perimeter, but the reality of the Internet is that some threat communities have substantial resources, resulting in frequent attacks that leverage high capabilities; some will get through the perimeter. It is paramount to have effective security controls at every system layer.

The requirement to use complex passwords has been a best practice for many years. Unfortunately, the goal has been difficult to achieve, relying as it does on users remembering multiple passwords that may not be particularly memorable. One of the fundamental control improvements responding to the increased capabilities of threat communities is the implementation of two-factor authentication.

Copyright © 2019 Christopher T. Carlson

Excerpt from How to Manage Cybersecurity Risk – A Security Leader’s Roadmap with Open FAIR

Information Systems Protection Requirements

When designing layers of control to protect the confidentiality, integrity and availability of information systems, it is necessary to start with the information and business systems needing protection and design the layers of protection outward from there. This way you ensure that all the controls are aligned to the objective. The resultant requirements are documented in your organization’s security control framework. Reference Figure 2 as we look at the layers of controls.


Figure 2 IT Security Design Diagram

The fundamental controls for protecting information apply equally to protecting electronic documents and business systems: marking sensitive information, and applying personnel security controls to the people authorized to create, use and share the sensitive information and to use the business systems.

The next layer of controls is physical controls for the hosts containing documents and business systems, which are typically grouped together in a shared hosting environment (in the past these were simply called data centers). A robust physical perimeter and doors controlled to permit access by a very few trusted individuals helps assure confidentiality, integrity and availability of the information systems. In addition, power backup is typically provided to enhance availability.

Business systems may be designed to authenticate users directly, or they may rely on an infrastructure authentication capability such as Microsoft Windows Active Directory. Robust design and implementation of the business system application is necessary to reduce vulnerabilities in its user interfaces; this is especially relevant should the system be directly accessible from the Internet. Electronic documents are often stored using capabilities such as Microsoft Windows file sharing, which also takes advantage of Active Directory. The secure configuration of the information system host is the next layer of protection.

The information systems in some organizations rely on a single sign-on authentication system and on centralized identity data that includes attributes about people useful in making access decisions. The identity data may be integrated in Active Directory or could be part of a high-availability directory service. Integrity and availability of these systems, along with appropriate data quality, are the objectives of security controls for this component.

We now move out of the shared hosting environment into other organization facilities. We’ll assume that physical controls for information protection requirements are already in place. These provide some control for the network cables within a building as well as the user workstations connected to the network. Wireless communication between the network and the user is typically encrypted and authenticated to control its use. Network traffic between buildings could be physically protected where practical. But typically this traffic travels through public networks, even if a dedicated communication path is provided. Point-to-point encryption is an option in these circumstances.

In some cases, the organization’s information systems (or some subset) are isolated from the Internet, so the organization physical perimeter is the final layer of protection. Otherwise, the final layer of controls is the interface between the organization’s information systems and the Internet, which is provided by perimeter systems. Some components include firewalls, antivirus and network traffic monitors. Often employees or other users can access the organization’s information systems through the perimeter. This requires robust authentication of the external users and more stringent host and application security controls to compensate for the increased threat event frequency associated with the perimeter. Some organizations choose to isolate the external-facing information systems in a network segment that excludes normal internal organization network traffic.

In the last section, we defined information protection requirements to be used when you design your security control framework. Those requirements apply equally to information systems. But we have added information system components and the protection objectives of confidentiality, integrity and availability. These requirements will also be composed of short requirements stated as a verb phrase, followed by additional detail relevant to your circumstances.

Some of these details are drawn from regulatory requirements. The following illustrates requirement statements.

  • Define confidentiality, integrity and availability requirements for business systems.
  • Establish electronic identifiers for network, host and application access control.
    • Employ a single badge for physical and computing access.
    • Require separate identifiers for users with privileged access.
  • Protect sensitive information during use and at rest in information systems.
  • Control access to organization networks, hosts and applications.
  • Limit access to sensitive information to authorized users.
  • Control authorized access to business systems.
  • Destroy sensitive information when no longer needed.
  • Monitor for and respond to potential intrusions to information systems.
  • Investigate and dispense corrective action to individuals misusing information systems.
  • Manage and monitor suppliers providing information systems support.
  • Prepare for disasters with offsite backup storage and geographically separate hosting.
  • Push security requirements to transportation security.

Security Systems

Finally, we come to the security systems that are trusted to enable a variety of physical, computing and network security controls. These include capabilities such as card access systems for the physical perimeter, and network perimeter firewalls and access control. Also included are the centralized identity, authentication, key management and authorization systems that are leveraged to support computing and network security.

Prior to the mid-1990s, an organization’s information systems were entirely contained within its physical perimeter. Many organizations were swift in their adoption of the internet, with the desire to have a web presence and engage in e-commerce. Soon it became apparent that they had moved into a bad neighborhood containing threats that no longer had to overcome the organization’s physical perimeter in order to seek confidential information, deface web sites, and disrupt systems’ availability. Worse yet, the internet became awash with viruses attempting to attack systems, potentially adversely impacting confidentiality, integrity or availability.

The computing and network perimeter is much like the physical perimeter, providing a foundation for protecting the confidentiality, integrity and availability of the information system. The first step is to limit the number of connections to the internet, which is analogous to access-controlled doors on the organization’s physical perimeter. As with doors, the incoming internet traffic must be screened for what is permitted and what is not. It is also common to control traffic leaving the organization, most commonly to prevent access to internet locations known to present a threat to the organization.

Organization users may access the internet anonymously (e.g., access to a public web site) or they may have authenticated access to an internet location. The data flows between the user and the internet must be allowed to pass both ways through the perimeter. Similarly, there may be users at internet locations who are permitted to access systems inside the organization’s perimeter: employees working at home or on travel, and organization customers or suppliers who need access to organization systems to provide status and billing for materials being supplied, or to order and check status on products being purchased. Fundamentally, all of these require an authentication at the perimeter in order to establish the connection. But what can arise is the burdensome requirement for a series of logons, such as logging on to the supplier’s information system, logging on to your organization’s perimeter, logging on to the host, and finally logging on to the desired application.

The ideal is to achieve a single sign-on experience for users, employees as well as suppliers and customers. It is common to achieve single sign-on within a hosting environment, which is commonly supported by Windows or UNIX operating systems. Applications can be configured to leverage the host authentication. It is also possible for one organization to trust the authentication of another organization. The Security Assertion Markup Language (SAML) can be leveraged for this purpose, accompanied by the establishment of the trust relationship between the organizations and their information systems.
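The checks a service provider must perform before it trusts another organization's logon are what make the SAML trust relationship real. The following is an added example and not code from the book: a real SAML assertion is XML signed with the identity provider's certificate (XML-DSig), whereas this stand-in uses JSON and an HMAC key shared between the two organizations so that it runs with the Python standard library alone. The validation logic (trusted issuer, signature before anything else, audience restriction, validity window with clock skew, one-time use) is the same. The issuer and service-provider URLs, the key and the user names are all made up.

```python
"""Added example (not from the book): what a service provider checks on a federated
authentication assertion. Simplified to JSON + HMAC; real SAML is XML + XML-DSig."""
import hashlib
import hmac
import json
import secrets

CLOCK_SKEW = 60  # seconds of tolerated drift between the two organizations' clocks

# Constructed identifiers and key; in practice the key material is exchanged as
# part of establishing the trust relationship (SAML metadata exchange).
PARTNER_IDP = "https://idp.partner.example"
SP_ID = "https://sp.example.com"
PARTNER_KEY = b"shared-secret-established-out-of-band"


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so both sides sign exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(idp_key: bytes, issuer: str, subject: str, audience: str,
                    now: int, lifetime: int = 300) -> dict:
    """Identity provider side: state that `subject` authenticated here, for `audience` only."""
    payload = {
        "id": secrets.token_hex(16),        # unique per assertion; lets the SP detect replay
        "issuer": issuer,
        "subject": subject,
        "audience": audience,               # the SAML AudienceRestriction
        "not_before": now,
        "not_on_or_after": now + lifetime,  # the SAML Conditions window
    }
    sig = hmac.new(idp_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {**payload, "signature": sig}


class ServiceProvider:
    """Relying party: knows its own entity id and the keys of the issuers it trusts."""

    def __init__(self, entity_id: str, trusted_issuers: dict):
        self.entity_id = entity_id
        self.trusted_issuers = trusted_issuers  # issuer -> key
        self.seen_ids = set()                   # replay cache (bounded by lifetime in practice)

    def validate(self, assertion: dict, now: int):
        """Return (subject, 'ok') or (None, reason). The signature is verified before
        any other field is believed; an unsigned or tampered assertion says nothing."""
        key = self.trusted_issuers.get(assertion.get("issuer"))
        if key is None:
            return None, "untrusted issuer"
        payload = {k: v for k, v in assertion.items() if k != "signature"}
        expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion.get("signature", "")):
            return None, "bad signature"
        if payload["audience"] != self.entity_id:
            return None, "audience mismatch"      # valid assertion, but meant for another SP
        if now + CLOCK_SKEW < payload["not_before"] or now >= payload["not_on_or_after"] + CLOCK_SKEW:
            return None, "outside validity window"
        if payload["id"] in self.seen_ids:
            return None, "replayed assertion"
        self.seen_ids.add(payload["id"])
        return payload["subject"], "ok"


if __name__ == "__main__":
    sp = ServiceProvider(SP_ID, {PARTNER_IDP: PARTNER_KEY})
    a = issue_assertion(PARTNER_KEY, PARTNER_IDP, "alice@partner.example", SP_ID, now=1_700_000_000)
    print(sp.validate(a, 1_700_000_010))   # ('alice@partner.example', 'ok')
    print(sp.validate(a, 1_700_000_010))   # (None, 'replayed assertion')
```

The audience check is the one most often skipped: without it an assertion issued for one service provider can be presented to another that trusts the same identity provider, which is exactly the cross-organization logon the trust relationship is meant to constrain.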

Computing and Network Security

Users’ access to the organization’s information systems is the next layer of control, composed of the network, host, application and database components. For the moment, we will use the case where the user is at work in the organization’s office, i.e., they have gone through the physical perimeter. Now they must gain access to the information system, much like gaining access to a container protecting information. The sign-on requires the user to identify who they are (the userid) and validate that identity through something they know or have (e.g., password, PIN, access card with chip). This process may have to be repeated in order to access different computers or to access specific applications. The risk to confidentiality, integrity and availability of information within the information system is reduced by the strength of the access controls, making it more difficult for unauthorized users to gain access. Today two-factor authentication has become necessary due to the high capabilities possessed by many threat agents.
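The second factor this paragraph (and the Lessons Learned section above, on complex passwords giving way to two-factor authentication) calls for is most often a time-based one-time code. The following is an added example, not code from the book or from any product: a server-side implementation of RFC 4226 HOTP and RFC 6238 TOTP using only the Python standard library, including the two details a verifier has to get right: a small clock-skew window with constant-time comparison, and refusing to accept a time step twice, so a code captured by a phishing page cannot be replayed. The demo secret is the RFC 6238 test-vector key; `enroll()` shows how a real per-user secret would be generated and handed to an authenticator app.

```python
"""Added example (not from the book): TOTP as the 'something you have' factor."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

STEP = 30    # seconds per TOTP time step
DIGITS = 6

# Constructed demo secret: the RFC 6238 reference key. Never use a fixed key in practice.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


def enroll(account: str, issuer: str):
    """Generate a fresh per-user secret and the otpauth:// URI an authenticator app scans."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    uri = (f"otpauth://totp/{label}?secret={b32}&issuer={urllib.parse.quote(issuer)}"
           f"&digits={DIGITS}&period={STEP}")
    return secret, uri


class TotpVerifier:
    """Per-user server state: the shared secret and the last time step already accepted."""

    def __init__(self, secret: bytes, skew: int = 1):
        self.secret = secret
        self.skew = skew                  # accept +/- this many steps of clock drift
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        code = code.strip()
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        now_step = unix_time // STEP
        for delta in range(-self.skew, self.skew + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue                  # that step (or an older one) was already used: replay
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))          # 287082 (RFC 6238 test vector, 6 digits)
    v = TotpVerifier(DEMO_SECRET)
    print(v.verify("287082", 59))         # True
    print(v.verify("287082", 59))         # False: same step presented twice
    secret, uri = enroll("alice@example.com", "Example Corp")
    print(uri)
```

The password remains the first factor; what the verifier above adds is that knowing the password is no longer sufficient, and that a code which has been used once is worthless to whoever captured it.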

Access administration is an important component of maintaining the difficulty for unauthorized users to gain access. It is quite natural to want the ability to quickly authorize users to access everything they need to do their job. But if not managed properly, they may have access to systems not required for their job, increasing risk to confidentiality, integrity and availability. Often overlooked is the need to remove access when it is no longer required. Over a long career in a large organization, individuals gradually build up a large collection of authorized accesses. Even in organizations with careful screening practices, there is some small frequency of insiders who become motivated to steal sensitive information. With poorly managed access, the information is effectively 100% vulnerable to these insiders, who obviously continue to act despite the deterrent of prosecution if they are caught.
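The accumulated and never-removed access this paragraph describes is only found by periodically comparing what people hold against what their current role justifies. The following is an added example, not from the book: an access review over three inputs, the HR roster, a role-to-entitlement matrix, and an export of who actually holds what, that reports every entitlement with no legitimate owner. The roster, matrix and export are constructed sample data; the reason categories and the convention that privileged entitlements belong on a separate "-adm" identifier (the separate-identifier requirement listed earlier) are assumptions for the example.

```python
"""Added example (not from the book): an access review that finds leftover access."""
from datetime import date, timedelta

# Constructed HR roster: employee id -> status and current role
ROSTER = {
    "e100": {"status": "active", "role": "payroll-clerk"},
    "e101": {"status": "active", "role": "developer"},
    "e102": {"status": "terminated", "role": "payroll-clerk"},
}

# Constructed role matrix: what each role is supposed to hold, nothing more
ROLE_ENTITLEMENTS = {
    "payroll-clerk": {"payroll-app:user"},
    "developer": {"git:developer", "ci:developer", "ci:admin"},
}

# Constructed export from the systems: who actually holds what, and when it was last used
ENTITLEMENTS = [
    {"user": "e100", "entitlement": "payroll-app:user",  "last_used": date(2024, 5, 28)},
    {"user": "e100", "entitlement": "git:developer",     "last_used": date(2024, 5, 20)},  # from a previous job
    {"user": "e101", "entitlement": "git:developer",     "last_used": date(2024, 5, 30)},
    {"user": "e101", "entitlement": "ci:developer",      "last_used": date(2023, 10, 1)},  # no longer used
    {"user": "e101", "entitlement": "ci:admin",          "last_used": date(2024, 5, 30)},  # admin on day-to-day id
    {"user": "e102", "entitlement": "payroll-app:user",  "last_used": date(2024, 4, 2)},   # user has left
    {"user": "e999", "entitlement": "payroll-app:admin", "last_used": date(2024, 5, 1)},   # nobody in HR
]


def review_access(roster, role_entitlements, entitlements, today, dormant_days=90):
    """Return one finding per entitlement that should not exist, as (user, entitlement, reason).
    The first matching reason wins; they are ordered from most to least urgent."""
    stale_before = today - timedelta(days=dormant_days)
    findings = []
    for e in entitlements:
        person = roster.get(e["user"])
        ent = e["entitlement"]
        if person is None:
            reason = "orphan"            # account with no owner in HR: disable, then investigate
        elif person["status"] != "active":
            reason = "terminated"        # leaver whose access was never revoked
        elif ent not in role_entitlements.get(person["role"], set()):
            reason = "not_in_role"       # accumulated from an earlier assignment
        elif ent.endswith(":admin") and not e["user"].endswith("-adm"):
            reason = "privileged_on_standard_id"  # privileged access needs a separate identifier
        elif e["last_used"] < stale_before:
            reason = "dormant"           # in role but unused: revoke, re-grant on request
        else:
            continue
        findings.append((e["user"], ent, reason))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_access(ROSTER, ROLE_ENTITLEMENTS, ENTITLEMENTS, date(2024, 6, 1)):
        print(*finding)
```

Run against a real export, the "terminated" and "orphan" rows are the ones to act on the same day; the "not_in_role" rows are the slow accumulation the paragraph warns about, and they only surface if the role matrix is maintained as roles change.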

High-privilege accounts used by system operators and trusted processes are necessary to manage and operate hosts. Like the special containers needed to protect security systems within the data center, these accounts need special controls to limit their use. Accounts with passwords are also needed to run business system applications, but there is the obvious problem of changing those passwords regularly, and the need to have the password available to applications that initiate other processes.

Physical Security

Containers, from cabinets to secure buildings, play a similar role for protecting information systems as for protecting information. The hosts processing information are housed in facilities that effectively are security containers designed to protect the confidentiality, integrity and availability of the information systems. The confidentiality of data within computers is protected by limiting authorized access to the devices. The availability of systems is improved when they are housed in large data centers placed in locations chosen for a reduced threat event frequency from acts of nature (earthquakes, floods, wind damage) and provided with backup power that responds to reduce the impact of threat events. Finally, security control systems are also located within the facility. Since the integrity of these systems is the foundation for the security controls across the organization information system (e.g., encryption key controls), they may be placed within a container in the data center to further limit who is authorized access.

Personnel Security

Personnel security comprises the controls that enable people to play their foundational role in protecting the information and information systems of the organization. All people have responsibilities to properly use the protective controls. Some people are additionally trusted to support the correct design or operation of security controls. Thus, personnel security is the foundation upon which all other controls operate. This section discusses key elements of personnel security and the associated roles.


Applicants for job openings are screened to prioritize the best qualified candidate to hire. The security screening is intended to confirm the candidate’s trustworthiness and can vary depending on the level of trust associated with the position. Screening can involve credit checks and inquiries into police records. Formal organization criteria should be applied by the person in authority to accept or reject a candidate.

Establish Duty to Protect

On the first day, every new employee typically signs an employment contract. One component establishes their duty to protect the organization’s proprietary information and information systems. There may be an additional information protection agreement or a system use agreement signed during an employee’s career, such as when government classified information is involved.

Security Briefings, Training and Awareness

The security leader is challenged by the fact that people are the first line of defense and are also, as a group, the weakest element of defense. Illustrative examples include allowing tailgaters through physical access controls, leaving a list of userids and passwords beside their workstation, and clicking on links within (what should be) suspicious spam email.

Your organization’s first day employee training needs a component on security practices relevant for everyone. You will also want specialized briefings for other roles such as managers and system administrators. The objective on the first day is that organization executive’s security expectations are understood and internalized by every new employee. Avoid death by PowerPoint, which will win no converts.

Additional training is appropriate when specific security skills must be learned, such as secure application development practices. It is unfortunately common for organizations to invest in slick training modules on an array of current topics, followed by a quiz to confirm skills. You will want to analyze the risk reduction benefit before proposing the investment in both development time and employees’ training time.

Promote Awareness

Employees receive education, training and awareness materials with the expectation that they will be equipped to play their very important role for information security. Do not underestimate the importance or difficulty of influencing user behavior. It is best to prioritize the few user behaviors that are of greatest importance, then reinforce them at reasonable intervals through the chain of control. For example, if wearing the organization badge is a key control, then the organization executive must model behavior by always being seen wearing the badge where it is clearly visible.

The organization executive must “walk the talk” on following security practices. Executive staff will naturally copy the executive’s behavior. Whenever some security incident or new practice is shared with employees, the organization executive must be the primary speaker, with you sufficiently visible on explaining details to reinforce your role.

Very selective use of security reminders can help users so long as they are relevant and helpful. By contrast, use of generic posters, such as “remember security” with a comical picture, is more likely to decrease your credibility than to have any beneficial impact.

Finally, there will be instances when individuals fail to follow security practices. This results in an adverse impact to the organization. Your investigations organization presents findings to the disciplinary function who determines appropriate disciplinary action for the individual. It is valuable to publicize a summary of the investigation (non-attributed) including the disciplinary action as a practical reminder of the importance of personnel security and the consequences of failures.

Design Defense in Depth

Defense in depth is the application of multiple layers of controls to defend against threats. Many security controls are applicable to a variety of assets and numerous threats. In some cases, the controls applied to one layer of defense may be redundant with another (belt and suspenders). In other cases, the controls may have complementary characteristics.

The following figure illustrates layers of defense, protecting the assets identified at the bottom.

Layers of Controls

Layers will be discussed in the following posts:
